As DefCon asks Feds to take “time-out,” Black Hat welcomes NSA chief

A year after DefCon appearance, Gen. Alexander will keynote Black Hat.

General Keith Alexander, the Director of the NSA and Commander of the DOD's US Cyber Command, has been announced as the keynote speaker at the upcoming Black Hat USA security conference at Caesars Palace in Las Vegas. The announcement comes on the heels of a request by Jeff Moss, organizer of the DefCon hacker conference, that federal employees take a "time-out" from attending DefCon this year because of high tensions in the wake of revelations made by former NSA contractor Edward Snowden about the NSA's widespread surveillance programs.

Black Hat occurs the same week as DefCon, just a mile away. But while the two events are both focused on computer and network security (or the lack thereof), they have totally different audiences and personalities. Black Hat is produced by UBM Tech, the media company that owns trade publications such as InformationWeek and runs the Interop technology conference. DefCon, on the other hand, is a "hacker convention," not a security convention, and tends to welcome a more anarchic demographic.

And while Moss sees the glass as half-empty in the wake of the Snowden leaks, the Black Hat conference's management sees it as half full. "We are honored to have General Alexander join us this year at Black Hat in Las Vegas for the first time," Black Hat's general manager Trey Ford told The Guardian. "We couldn't have asked for a better time to welcome him. The security and intelligence communities have common interest in protecting international critical infrastructure and the Internet at large. We both have an acute interest in defining and defending privacy."

This is a rare public speaking engagement for Alexander, who appeared for the keynote at last year's DefCon. It was that appearance that may have triggered some of the unease Moss expressed over federal agencies attending DefCon. In a response to a question at DefCon last year, Alexander said that allegations that the NSA had "millions or hundreds of millions of dossiers on people is absolutely false." That statement prompted inquiries from the Senate Intelligence Committee over whether the NSA collected data on domestic targets. On March 12, Director of National Intelligence James Clapper replied to a question from Sen. Ron Wyden on the subject during a hearing, saying that NSA did "not wittingly" collect data on US citizens. Clapper sent a letter of apology for the statement to Sen. Dianne Feinstein, the chairman of the Senate Intelligence Committee, on June 21.

Well, this should prove interesting: the business/security conference welcomes the alphabet agencies, the hacker/standalone one doesn't. Wondering which one will sway (if to any degree) public sentiment.

While this is probably a simple way for Black Hat to capitalize on the decision of a competing event, it'll be interesting to see how the experiment plays out. Will a 'time-out' be useful, letting cooler heads prevail after a bit of separation, or will confronting the issues now, essentially a 'strike while the iron's hot' mentality, lead to a better system for everyone? I dunno, but it'll be exciting.

Well, one thing's for sure, choosing not to communicate with each other impedes constructive progress.

I think that the NSA needs to start talking first. Constructive progress or not.

Conference dis-invites is not exactly a helpful gesture towards that goal, now is it.

Wired had a very interesting article about Gen. Alexander this past month. Gotta say that guy scares the hell out of me. Tons of power. Tons of power that nobody is allowed to know about.

'quis custodiet ipsos custodes' - Who watches the watchmen? Him among others, yes. But, never fear, it is all for your safety and if you haven't done anything wrong you have nothing to fear but fear itself. I'm really hoping that he's going to underestimate his audience, as government types typically do, and we end up with some excellent viewing material later on.

Well, one thing's for sure, choosing not to communicate with each other impedes constructive progress.

Given that Gen. Alexander showed up at Defcon as an honored keynote speaker last year and blatantly lied to everyone in response to a fairly basic and reasonable question (and also told essentially the same lie in Congressional testimony), I'm not sure what constructive progress is achieved from inviting him and his employees back the next year. How can you have a conversation with a serial liar?

That's what happens when the declassified answer is "no" and the classified answer is "yes." The pat military answer to a question about a classified subject is "I can neither confirm nor deny," an answer which has gotten pushed aside by a generation of flag officers who earned their stars during the Bush administration. Full disclosure: I am a former Navy officer, and was a command security manager.

Although it might be literally true that "Black Hat occurs the same week as DefCon" this statement seems to imply that the conferences are concurrent. Black Hat USA "briefings" run from July 31 to August 1, and DEFCON runs from August 1 to August 4. Plus, the schedule for the first, and overlapping, day of DEFCON is usually much thinner than the rest of the conference. Both conferences were started by Moss, and they are generally considered to be back-to-back conferences. For example, the Black Hat website lets registrants also sign up for DEFCON. Some other smaller security conferences, such as BSidesLV (July 31 to August 1), are also happening that week.

Also, it's incorrect that Black Hat and DEFCON have "totally different audiences." Many people attend both conferences, and they are scheduled accordingly. However, with Black Hat being the more "corporatized" of the two, it is much more expensive than DEFCON (nearly 10x just for the conference fee, and hotel rates are higher at the selected venue) since many attendees are there on their employers' tabs. The expense keeps a fair number of the more independent DEFCON attendees from coming for both. Maybe the most accurate way to put it is that there are many Black Hat attendees who stick around to attend DEFCON, such as federal employees.

That's what happens when the declassified answer is "no" and the classified answer is "yes." The pat military answer to a question about a classified subject is "I can neither confirm nor deny," an answer which has gotten pushed aside by a generation of flag officers who earned their stars during the Bush administration. Full disclosure: I am a former Navy officer, and was a command security manager.

Then the correct answer is "I can't answer that." Not "You have nothing to worry about." Particularly not to congress.

Given that Gen. Alexander showed up at Defcon as an honored keynote speaker last year and blatantly lied to everyone in response to a fairly basic and reasonable question...

Just curious - what was the question and the response?

Sure. I was referring basically to the question/response in the article itself: "In a response to a question at DefCon last year, Alexander said that allegations that the NSA had "millions or hundreds of millions of dossiers on people is absolutely false.""

Following the Defcon keynote, Senator Wyden sent Gen. Alexander a letter, requesting clarification. The General's unclassified response makes it clear that his original answer was, at best, an absurd simplification, claiming that his denial at Defcon really only referred to dissemination of information about Americans. What Sen. Wyden knew then, and what we all know now, is that the NSA was collecting and warehousing large amounts of information about Americans. How is a list of everybody you've ever called not a dossier on you?

In May, Sen. Wyden quoted Gen. Alexander's Defcon remarks to DNI Clapper, who oversees the NSA, pointing out that the word dossier is vague and asks him an even more clear question: "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" We all know how Clapper answered that question.

Alexander said that allegations that the NSA had "millions or hundreds of millions of dossiers on people is absolutely false." He continued, wordlessly, "dossier is from the French word for folder, and we're using rows in a SQL database instead. Fürher, ahem, further, the database covers TENS of millions of citizens, so one or a hundred million would be way off base."

It's off by a base of 10!

Also, SQL is boring, the NSA loves NoSQL, and obviously any followup questions about databases are false because they actually use a flat file system (ironically, using folders). Tada!

Letter of apology my ass. Give Clapper the Aaron Swartz treatment and let's see how he likes it...

Right. I read Clapper's not-pology. "I didn't understand the question, so it wasn't really a lie." If he didn't understand the question, we need someone a lot smarter in his chair. Otherwise, we need someone a lot more honest.

Personally, I'd like to see audience members silently stand up and turn their backs to him.

BAH! I'd like to see a youtube video of him being lynched and burned at the stake out in the parking lot. He lied to Congress under oath as a General in the US Military. If that's not breaking his oath, I don't know what is. He's the first one guilty of treason.

Do you understand that you are promoting direct violence against an individual here? This reaction is not what is expected from civilized society but I am aware (thanks to Mark Twain) that this method was practised in America not that long ago.

That's what happens when the declassified answer is "no" and the classified answer is "yes." The pat military answer to a question about a classified subject is "I can neither confirm nor deny," an answer which has gotten pushed aside by a generation of flag officers who earned their stars during the Bush administration. Full disclosure: I am a former Navy officer, and was a command security manager.

From experience I know that answering a question with "I can neither confirm nor deny" can get you in some REALLY hot water. The correct answer is, "Please talk to <predesignated person/department> about that".

EDIT : Missed the disclosure. How long ago was your service because my information is roughly 6 years old.

I've never been to DefCon or BlackHat, but do the feds actually contribute much? I'd find it hard to believe that they are going to intentionally divulge any new techniques. Do they just watch and listen and not give anything back except attendance fees? I suppose some welcome them in their role as recruiters.

Well, one thing's for sure, choosing not to communicate with each other impedes constructive progress.

There is no such thing as constructive progress with the Stasi. They need to be shut down and their archives opened to the public.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.